Enhancing Cyber Resilience of Small and Medium-sized Enterprises through Cyber Security Communities of Support
Lead Research Organisation:
University of Nottingham
Department Name: School of Computer Science
Abstract
Small and Medium-sized Enterprises (SMEs) are a vital element of the economy, accounting for 99.9% of UK businesses, generating three fifths of employment and turnover of £2.3 trillion. They are a crucial asset requiring protection as part of our overall national resilience. Unfortunately, the UK Cyber Security Breaches Survey indicates that half of small and a third of micro businesses experienced breaches or attacks in the last year. Moreover, while they frequently seek external guidance in relation to cyber security, they do so via a huge range of sources, and often find themselves overwhelmed with information and unable to understand the advice. Research is required to better understand SME needs and the perspective of those that they turn to for support, and to then use these insights as a foundation for the design and evaluation of a new and more accessible approach.
The research begins with an investigation of the support needs of small businesses, to establish their current understanding and confidence around cyber security, and their awareness and perceptions of available support. The investigation will seek to determine the scenarios in which cyber security advice is sought (e.g. during product evaluation, at point of purchase, in response to threats and incidents), and whether it is deemed effective. In parallel, the project analyses support routes available to these businesses, with focus upon the coverage and consistency of advice, as well as the confidence and capacity of those providing it. This will include a range of online and in-person sources, in order to capture the diversity of routes that businesses themselves tend to pursue, and will include those specifically designated to provide support (e.g. Cyber Resilience Centres) and those that may find themselves facing cyber security queries when potentially less well-placed to handle them (e.g. retailers).
From these foundations, the research then conducts more detailed analysis of business and advisor experiences by tracking individual support journeys as they occur. This offers more direct intelligence on the nature and volume of support being sought, as well as the extent to which the requests led to an effective outcome. The analysis delivers a series of case studies identifying factors that led to successful or unsuccessful outcomes.
The findings inform activities to enhance support provision through the design, implementation and pilot evaluation of Cyber Security Communities of Support (CyCOS), representing local collaboration and cooperation between SMEs and advisory sources. The foundations include the creation of an online Support Broker, enabling the SMEs to identify support needs and contact advisory sources positioned to help them (which, as the community develops and grows in experience, may include peer support from other SMEs). In parallel, the project offers upskilling opportunities for advisors and interested SMEs, via foundational cyber security certification to increase their related knowledge and capability. The project will then trial the operation of the CyCOS via three pilots. This will enable practical evaluation of the approach, culminating in an established and repeatable model that can then be adopted more widely.
The delivery of the research is supported by relevant industry partners, including those providing expertise and resources to support the CyCOS, and those offering channels for engagement with the SME community. Partner representatives will form an Advisory Board, meeting regularly throughout the project, offering input and feedback to further guide the activities.
The resulting 30-month project contributes to national resilience by addressing an area of existing vulnerability and potential compromise. It will enhance understanding of SMEs' cyber security support needs and the ability to address them, while enabling SMEs themselves to recognise and embrace a core aspect of their digital responsibility.
Organisations
- University of Nottingham (Lead Research Organisation)
- National Cyber Security Centre (Collaboration)
- (ISC)2 (Project Partner)
- Cyber Resilience Centre for London (Project Partner)
- Centre for the New Midlands (Project Partner)
- Eastern Cyber Resilience Centre (Project Partner)
- HOME OFFICE (Project Partner)
- Chartered Institute of Info Security (Project Partner)
- The IASME Consortium Ltd (Project Partner)
Description | Collaboration with National Cyber Security Centre |
Organisation | National Cyber Security Centre |
Country | United Kingdom |
Sector | Public |
PI Contribution | Including the NCSC within the Advisory Board for the CyCOS project. |
Collaborator Contribution | The project has established a dialogue with the NCSC's Small Organisations Resilience Economy and Society team, and a member of the team has been added to the CyCOS Advisory Board. |
Impact | N/A at this stage. |
Start Year | 2024 |
Description | Centre for New Midlands web article |
Form Of Engagement Activity | Engagement focused website, blog or social media channel |
Part Of Official Scheme? | No |
Geographic Reach | Regional |
Primary Audience | Industry/Business |
Results and Impact | An article entitled "Enhancing Cyber Security Support for SMEs", authored by the CyCOS project team and posted on the website for the Centre for the New Midlands (one of the supporting partners of the project) on 5 March 2024. The article presented summary findings from the investigation and assessment of online sources of SME cyber security advice and guidance, as well as promoting engagement opportunities with the project (e.g. the SME survey). |
Year(s) Of Engagement Activity | 2024 |
URL | https://www.thenewmidlands.org.uk/enhancing-cyber-support-sme |
Description | CyCOS project website |
Form Of Engagement Activity | Engagement focused website, blog or social media channel |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Industry/Business |
Results and Impact | A website set up to support the CyCOS project and act as a point of presence. Contains (amongst other things) details of the project objectives, the research team, and links to related outputs. Also offers a route for establishing contact with the team members. |
Year(s) Of Engagement Activity | 2023 |
URL | http://www.cycos.org |
Description | IT Security Guru website article |
Form Of Engagement Activity | A magazine, newsletter or online publication |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | An article entitled "SME Cyber Security - Time for a New Approach?", appearing on the IT Security Guru website on 21 September 2023. The piece was linked to the talk being delivered within the Global Cyber Summit at the International Cyber Expo 2023, and explained the need to enhance security for the SME community, and highlighted the related work being undertaken within the CyCOS project. |
Year(s) Of Engagement Activity | 2023 |
URL | https://www.itsecurityguru.org/2023/09/21/sme-cyber-security-time-for-a-new-approach/ |
Description | Infosecurity |
Form Of Engagement Activity | A magazine, newsletter or online publication |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | An interview-based article with the Infosecurity Europe website (entitled "Why is Academia Important to Cybersecurity?" and published on 6 October 2023). Although it is not the primary focus, the CyCOS project receives attention at the end of the piece, as an example of current research in which academia is contributing to cybersecurity more widely. |
Year(s) Of Engagement Activity | 2023 |
URL | https://www.infosecurityeurope.com/en-gb/blog/future-thinking/academia-importance-to-cybersecurity.h... |
Description | Innovation News Network article |
Form Of Engagement Activity | A magazine, newsletter or online publication |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Industry/Business |
Results and Impact | An article entitled "Funding awarded to help small businesses improve cyber security", published on the Innovation News Network website on 17 August 2023, announcing the award of the funding (based on content drawn from press releases made by the participating universities). |
Year(s) Of Engagement Activity | 2023 |
URL | https://www.innovationnewsnetwork.com/funding-awarded-help-small-businesses-improve-cyber-security/3... |
Description | Invited talk to University of Nottingham Business Network |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | Regional |
Primary Audience | Industry/Business |
Results and Impact | A presentation delivered to an audience of SMEs and other regional stakeholders, invited through the University of Nottingham Business Network. The talk, entitled "Cyber Security Why me, I'm an SME?", took place on 5 December 2023 and presented security considerations that are relevant to SMEs and highlighted the role that CyCOS aims to play. It also invited participation in the related data collection activities for the project involving SMEs and cyber advisors. |
Year(s) Of Engagement Activity | 2023 |
URL | https://www.nottingham.ac.uk/workingwithbusiness/business-network/events/2023-12-05.aspx |
Description | Keynote presentation at ICOCO 2023 conference |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Industry/Business |
Results and Impact | Invited keynote presentation at the 2023 IEEE Computing Conference (ICOCO 2023), organised by the IEEE Computer Society Malaysia, and held on Langkawi island from 9-12 October 2023. The talk (entitled "Small is vulnerable? The cybersecurity challenges of SMEs") was delivered on 10 October, and focused on cyber security from the perspective of SMEs and the work that the CyCOS project is doing to offer an additional route for support in this area. |
Year(s) Of Engagement Activity | 2023 |
URL | https://ieeecomputer.my/icoco2023/programmes/ |
Description | Presentation at International Cyber Expo 2023 |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Industry/Business |
Results and Impact | The activity was a presentation delivered in the Global Cyber Summit stream of the International Cyber Expo event at Olympia, London. The talk was specifically focused around the planned work within the CyCOS project, and invited contact for later participation in the related survey and interview activities. |
Year(s) Of Engagement Activity | 2023 |
Description | Professional Security Magazine Online article |
Form Of Engagement Activity | A magazine, newsletter or online publication |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | An article entitled "Unis to look at SMEs and cyber advice", published by Professional Security Magazine Online on 21 August 2023, announcing the award of the funding (based on content drawn from press releases made by the participating universities). |
Year(s) Of Engagement Activity | 2023 |
URL | https://professionalsecurity.co.uk/news/education/unis-to-look-at-smes-and-cyber-advice/ |
Description | RISCS Annual Conference poster |
Form Of Engagement Activity | Participation in an activity, workshop or similar |
Part Of Official Scheme? | No |
Geographic Reach | National |
Primary Audience | Professional Practitioners |
Results and Impact | A poster entitled "Coverage, Completeness, and Clarity of Cyber Security Guidance for SMEs", presented at the RISCS Annual Conference on 13 March 2024. The poster focuses on the key findings from the CyCOS project's assessment of online cyber security advice/guidance sources for SMEs, and was presented by Dr Neeshé Khan during the event. |
Year(s) Of Engagement Activity | 2024 |
URL | https://riscs.org.uk/2024/02/02/poster-call-deadline-16-feb-2024-riscs-annual-conference-march-2024-... |